Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Permission issues with Docker in networkingMode mirrored #10981

Open
1 of 2 tasks
fipro78 opened this issue Jan 5, 2024 · 3 comments
Open
1 of 2 tasks

Permission issues with Docker in networkingMode mirrored #10981

fipro78 opened this issue Jan 5, 2024 · 3 comments
Labels
network

Comments

@fipro78
Copy link

fipro78 commented Jan 5, 2024

Windows Version

Microsoft Windows [Version 10.0.22631.2861]

WSL Version

2.0.15.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

5.15.133.1-1

Distro Version

Ubuntu 22.04

Other Software

I have installed docker into the WSL distro and I want to build and run a container for my Java application. The goal is to create a checkpoint using OpenJ9 CRIU support. To do this the container needs to be started with --security-opt seccomp=unconfined

The attached zip archive contains the sample application and the scripts to reproduce the issue:
criu_test.zip

Repro Steps

  • Have networkingMode = mirrored in the .wslconfig file
  • Install docker into the WSL distro
  • Extract the attached ZIP archive attached in "Other Software" into the WSL distro
  • Execute the script crac_test/criu_executable/build_criu_image_docker.sh

Expected Behavior

The script finishes and a docker container with checkpoint data is with the name osgi_deployment_criu is created.

Actual Behavior

The script blocks at creating the checkpoint inside the container. If you log into the container via

docker exec -it osgi_deployment_criu_checkpoint sh

and then look into the checkpoint logfile via

cat checkpointData/logs

you will see the following entry at the bottom

Error (compel/src/lib/ptrace.c:27): suspending seccomp failed: Operation not permitted

If I switch to networkingMode = NAT the script finishes as expected.

Diagnostic Logs

No response
@OneBlue OneBlue added the network label Jan 6, 2024
@chanpreetdhanjal
Copy link

Hi. Can you please collect networking logs by following the instructions below?
https://github.com/microsoft/WSL/blob/master/CONTRIBUTING.md#collect-wsl-logs-for-networking-issues

@fipro78
Copy link
Author

fipro78 commented Jan 9, 2024

Sure, attached are the networking logs from reproducing the issue.

WslNetworkingLogs-2024-01-09_06-38-39.zip

@CatalinFetoiu
Copy link
Collaborator

hello @fipro78, thanks for reporting the issue and for your patience.

Unfortunately, at the moment there is no workaround for this issue, as mirrored networking mode requires registering some seccomp filters and the presence of those filters is causing the failure you pointed out.

@fipro78 fipro78 mentioned this issue Jul 5, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
network
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fipro78 @OneBlue @CatalinFetoiu @chanpreetdhanjal